
how does cookieless = true work - ASP.NET General


  1. #1

    how does cookieless = true work

    Can anyone explain to me how the session state - cookieless = true works?
    Where is the information stored in the URL? I am concerned that someone can
    use that to their advantage (hacker). I have session state set to stateserver,
    so does that make any difference?



    Thanks

    Grant


    Grant Guest

  2. #2

    Re: how does cookieless = true work

    Grant,

    Yes, then the session ID is stored in the URL.

    Normally the session id is stored in a cookie on the user's machine.

    There is no difference if sessions are stored on the server or on a state
    server as long as the page receives the session id from the client in one
    form or another.

    I'm not positive if there are any security repercussions if the session id
    is in the url vs. a cookie.

    Sincerely,

    --
    S. Justin Gengo, MCP
    Web Developer

    Free code library at:
    www.aboutfortunate.com

    "Out of chaos comes order."
    Nietzsche




    S. Guest

  3. #3

    Re: how does cookieless = true work

    What you store in the URL is the session ID of the current session. The
    danger is session hijacking - somebody can use your session ID to pretend to
    be you. In this case, the session ID is both in plain view (in the URL) and
    stored on the hard drive, neither of which is true if you are using session
    cookies. So it's a little bit easier to steal somebody's session, but it's
    not as if they are otherwise unable to do so. If you have a truly dedicated
    hacker, sniffing packets will reveal both being sent over the wire in
    unencrypted text, so if your information is valuable, make sure you are
    using HTTPS. With a secure connection, everything will be encrypted.

    --
    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows XP
    Windows XP Associate Expert
    --


    Chris Guest

  4. #4

    Re: how does cookieless = true work

    The actual Session data never leaves the server. This is true of both
    Cookie-FUL and Cookieless Sessions. The only data sent back and forth from
    the client is the Session ID. This identifies the Session on the server that
    belongs to the client at the time. So, you don't need to be concerned at
    all. :)

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    http://www.takempis.com
    The more I learn, the less I know.



    Kevin Guest

  5. #5

    Re: how does cookieless = true work

    Exactly.

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    http://www.takempis.com
    The more I learn, the less I know.



    Kevin Guest

  6. #6

    Re: how does cookieless = true work

    Side-note: it's also easier to socially engineer a session hijacking using
    cookieless sessions. "Can you send me a link to that?" - now, the bad guy
    has hijacked your session, and, for the purpose of the application, is you.
    No packet sniffing or local access needed.

    --
    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows XP
    Windows XP Associate Expert
    --


    Chris Guest
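
Added example (not part of any post in this thread): where the session ID sits in a cookieless URL, and how a defender can find, scrub and correlate it in web server logs. It assumes the ASP.NET path form `/(S(<id>))/` (2.0 and later) or `/(<id>)/` (1.x) with a 24-character ID; the function names, log lines, paths and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed URL form: /app/(S(<id>))/page.aspx on ASP.NET 2.0+, /app/(<id>)/page.aspx
# on 1.x, where <id> is 24 letters/digits.
TOKEN = re.compile(r"/\((?:S\(([a-z0-9]{24})\)|([a-z0-9]{24}))\)(?=/)", re.I)

def session_ids(text):
    """Return every cookieless session ID embedded in URLs within text."""
    return [a or b for a, b in TOKEN.findall(text)]

def redact(text):
    """Replace embedded session IDs so the line can be stored or shared."""
    return TOKEN.sub("/(REDACTED)", text)

def shared_sessions(log_lines):
    """Map session ID -> client IPs, keeping IDs requested from more than one IP."""
    seen = defaultdict(set)
    for line in log_lines:
        client = line.split(" ", 1)[0]
        request = line.split('"')[1]          # request line only, not the Referer
        for sid in session_ids(request):
            seen[sid].add(client)
    return {sid: ips for sid, ips in seen.items() if len(ips) > 1}

# Constructed sample access-log lines (IPs from documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /shop/(S(lit3py55t21z5v55vlm25s55))/cart.aspx HTTP/1.1" 200 512 "-"',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /shop/(S(lit3py55t21z5v55vlm25s55))/pay.aspx HTTP/1.1" 200 734 "-"',
    '198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "GET /shop/(S(lit3py55t21z5v55vlm25s55))/cart.aspx HTTP/1.1" 200 512 "-"',
    '203.0.113.4 - - [01/Jan/2024:10:04:00 +0000] "GET /shop/(abcdefghijklmnopqrstuvwx)/default.aspx HTTP/1.1" 200 90 "-"',
]

if __name__ == "__main__":
    for sid, ips in shared_sessions(SAMPLE_LOG).items():
        print("session", sid, "used from", sorted(ips))
    print(redact(SAMPLE_LOG[0]))
```

More than one address per ID is a prompt to review (NAT and mobile clients also cause it), not proof of hijacking.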
